How can the mere possibility of a technology being developed and commercialized in the distant future pose a serious risk today?
Introduction
Glancing up next to the URL in your browser, you will most likely see a small padlock icon indicating that you are browsing securely with the use of HTTPS, a web protocol that encrypts all data sent and received across the internet, allowing only the sender and intended recipient to be able to read the data. This allows us, for example, to safely enter our credit card numbers and personal information when shopping online without any third party being able to steal that information. But encryption is used not only for information transmission but also for information storage. Encrypting files stored on a hard drive or in the cloud involves transforming this data into a secure format that can only be read by those with the correct decryption key.
Encryption and cryptography are the backbone of much of our digital infrastructure. There is, however, an emerging technology on the horizon that might fundamentally break cryptography and therefore the privacy and security of our digital world. This primer will take a closer look at quantum computing (QC), what it is, how it might fundamentally endanger cryptography, and what this means for civil society organizations and other vulnerable communities online.
Cryptography today
How does cryptography work?
Access to information shared over the internet is limited to the intended recipient by ways of cryptography, which uses mathematical algorithms to transform data into a format that is unreadable to third parties. The most widely used form of cryptography on the internet is called asymmetric cryptography, which involves the use of a publicly available encryption key linked with a different, private decryption key. Data is encrypted by the sender using the recipient’s public encryption key, which the recipient can subsequently decrypt using their private decryption key. This is analogous to the way a mailbox works: anyone can put letters into a recipient’s mailbox (public encryption key), but only the intended recipient can read the content by opening the mailbox with their key (private decryption key).
Why is cryptography so important?
Cryptography lies at the foundation of much of our critical infrastructure. It allows us, for example, to safely send messages without worrying about any third party reading along. Cryptography allows hospitals to safely store personal and sensitive medical histories of their patients and journalists to store confidential documents. Consequently, cryptography is an implicit requirement for many of the Sustainable Development Goals (SDGs). Encryption is an enabler of privacy protection and freedom of expression and will play an increasingly important role in safeguarding basic human rights against the backdrop of managing global health crises, disaster response, and emerging currencies.
While all sectors benefit from cryptography, NGOs rely particularly heavily on encryption due to the highly sensitive and confidential information they hold on marginalized and vulnerable communities. These can include, for example, physical addresses of political refugees or lists of victims of racially motivated violence. Cyberattacks and data breaches against civil society organizations can expose this sensitive data and cause significant disruption to their missions.
For example, when the ICRC was attacked in January 2022, not only were the personal data of over five hundred thousand people leaked, but its efforts to reunite family members separated by conflict, disaster, or migration were negatively affected by the loss of data. But the ICRC stands not alone, since organizations such as Oxfam, the Red Cross Blood Service, Save the Children, World Wildlife Fund, and Doctors Without Borders have all experienced data breaches in the last years, potentially exposing the personal data of important stakeholders within the organizations, in their network of partners and donors and, most importantly, of the vulnerable communities they support and work with.
Effective cryptography is essential to ensure that our data and digital transactions remain secure, which is a fundamental requirement for the achievement of the SDGs and particularly crucial for civil society organizations. However, quantum computing will fundamentally break cryptography as we know it today. But this technology might not be usable for cryptographic attacks for another ten to thirty years (according to the NIST report on Post-Quantum Cryptography and the 2023 Quantum Threat Timeline Report), so why are cybersecurity experts so concerned today?
Quantum Computing emerging at the horizon
Quantum computing (QC) is a new approach to computing that goes far beyond the capabilities and performance of traditional computers. In classical computing, information is represented in bits, which are either zeroes or ones. Quantum computing, on the other hand, uses quantum bits (qubits) that can be both ones and zeroes at the same time, taking on so-called superpositions. Harnessing this and other phenomena of quantum physics, such as entanglement, enables a new way of storing and processing information which significantly accelerates the ability to solve certain computational problems. While QC will not replace classical computers, they enable us to solve problems that classical computers, by their nature, cannot solve or are very slow at solving.
QC, enabling the achievment of the SDGs
The list of beneficial applications that arise from these new computational capabilities include chemical and biological simulations, optimizations of logistics, and route planning. These applications promise to open new frontiers and accelerate the achievement of the sustainable development goals by optimizing food supply chains for better food security (addressing SDG 2, no hunger), accelerating drug discoveries (addressing SDG 3, good health and well-being), or by performing simulations of complex molecular structures to accelerating the development of new materials and processes used in solar panels, batteries, and carbon capture techniques (addressing SDG 13, climate action).
The danger to cryptography
How QC will break cryptography as we know it today
This ease of solving such computational problems — which holds many promises for the SDGs — is simultaneously what poses a serious problem for the field of cryptography and cybersecurity. The most commonly used cryptographic algorithms today are based on hard mathematical problems that are impossible to solve with classical computers. However, coupled with specific algorithms that have been theorized since the 1990s, quantum computers will be able to solve these mathematical problems safeguarding cryptography with ease.Once mature, QC will therefore risk breaking the confidentiality, integrity, and authenticity of the digital world as we know it today. Threat actors with access to quantum computers will be able to target everything from autonomous vehicles to military hardware, financial transactions, and electronic communications, as well as passwords, digital signatures, and health records. The same technology that promises to advance our achievement of the SDGs might also endanger them.
QC, endangering the achievement of the SDGs
QC might hinder the achievement of SDG 3 (good health and well-being) by endangering currently encrypted patient records and research data, which could diminish public trust, widen health disparities, and hinder advancements in health research. The digital finance infrastructure (under SDG 8, decent work and economic growth), pivotal for economic stability and growth in the digital age, faces threats from QC through potential breaches in encrypted financial transactions and proprietary data. Concerning objectives in the energy sector set by SDG 9 (industry, innovation, and infrastructure) and 13 (climate action), where encrypted grid control systems manage power distribution, QC’s ability to break these encryptions could result in unauthorized access, leading to blackouts and stalling sustainable energy initiatives. These examples show how QC will increase cybersecurity risks and could substantially threaten the achievement of the goals.
Approaching Y2Q
Quantum computers today are still in their infancy, and only a handful of countries and private companies are developing, building, and using functioning quantum computers. Current quantum computers require a lab environment with ideal conditions at temperatures near absolute zero and with minimal noise from magnetic fields and radiation. Developers will need to solve many issues before QC can be reliably used, which may still take years or decades. Current estimates on when QC will be able to break cryptography vary. Some experts believe the quantum threat to cryptography will materialize in the next 10 years, while more conservative estimates put Y2Q — the date when quantum computers will defeat public-key cryptography — in around 15-30 years.
However, despite this timeframe, cybersecurity experts are already ringing the alarms. This is for two reasons. First, although it might take a while for QC to mature and become widely available, threat actors can harvest encrypted data, communications, and transactions now, in order to decrypt them later once QC is more developed and widely available. This concept of “harvest now, decrypt later” is especially dangerous for encrypted data that remains sensitive for decades and can still cause harm once decrypted in the future. The second reason is that the development of and migration to a quantum-safe cryptography algorithm will take significant time and resources and must be started today to prepare for a post-quantum world.
Post-quantum cryptography
To ensure digital security in a post-quantum age, quantum-safe cryptography algorithms are being designed to secure against the threats of QC. In 2022, The US Department of Commerce’s National Institute of Standards and Technology (NIST) chose the first group of four quantum-safe encryption tools after a call for proposals in 2016. These algorithms use new approaches to cryptography that can be implemented using today’s classical computers while being resistant to attacks from tomorrow’s quantum ones. NIST anticipates that a post-quantum cryptography standard will be available by the end of 2024, at which point organizations should migrate to quantum-safe systems in the following ten years.
However, the widespread adoption of such quantum-safe algorithms, the establishment of new standards and protocols, and the ultimate migration of currently used cryptography algorithms to quantum-safe ones are arduous and delicate. For the padlock in our browsers to indicate a quantum-safe internet connection will take time and require significant effort from the international community and individual stakeholders. Considering that it took the NIST six years to evaluate and choose four contenders for quantum-safe cryptography algorithms, we will have to start discussions at a global level now if we want to collectively prepare for Y2Q.
Encryption, civil society, and access to quantum-safe cryptography
As explored above, NGOs are particularly targeted by data-related cyberattacks due to the sensitive nature of the data they hold. The arrival of QC will only offer even greater capabilities for malicious actors to carry out these attacks. Therefore, the uptake of new quantum-safe cryptography algorithms will be essential for their digital security. However, transitioning to quantum-safe encryption algorithms will not only entail a significant financial cost but also require both expertise and time which the NGO may not have access to.
To help NGOs transition to a post-quantum world, four things will be necessary. First and foremost, there needs to be a collective push for education and awareness-raising on the risks of QC and the existence of quantum-safe cryptography. Second, the international community must actively work on implementing new cryptography standards globally so that the most vulnerable continue to be protected in the digital world. The NIST has kickstarted this conversation and has identified possible candidates for quantum-safe algorithms, but these efforts need to be continued. Third, once developed, quantum-safe cryptography algorithms must be made available to NGOs, and systems of knowledge-sharing must be implemented so that NGOs can have access to experts who help them migrate their encryption systems. Finally, donors must include cybersecurity and cryptography clauses in their grantmaking so that NGOs receive the funds required to protect themselves from threats of today and tomorrow.
Conclusion
QC, promise and peril
QC will likely be a revolutionary step in the computing industry, unlocking new frontiers that have been unreachable with traditional computing. However, as with any technology, QC will not be confined to science and industry but will have a societal impact as well. QC development must be accompanied by a human-centric approach tackling the potential risks to encryption and privacy. This approach must ensure that vulnerable communities are aware of the risks of QC to cryptography and how this new technology will change confidentiality and privacy. It also requires providing access to quantum-safe cryptography — in terms of the open-access algorithms, the know-how, and the resources — to transition to a secure post-quantum digital sphere.
The path ahead
On the bright side, some interesting initiatives and developments are happening around the world. Leading QC corporations have committed to responsible quantum computing, such as, for example, IBM with its Responsible Quantum Principles, Microsoft through its Quantum Safe Program, and Google with its “Our focused and responsible approach to quantum computing.“ The World Economic Forum partnered with experts from both the private sector and academia and published reports on Quantum Computing Governance Principles and on the Quantum Economy. Stanford Law School launched the Stanford Center for Responsible Quantum Technology, which is part of an emerging and growing field of responsible quantum academic research. In Geneva, the Open Quantum Institute (OQI), a program designed by GESDA and hosted by CERN, aims to maximize the societal benefits of quantum computing by ensuring broad access to its resources and expertise, while also extending cutting-edge technology to underserved regions to help bridge emerging digital divides.
On our side, we aim to continue closely monitoring the development of QC and how civil society organizations and the most vulnerable will be impacted. Mitigating the risk of QC to cybersecurity will truly require a multi-stakeholder approach. All stakeholders have their part to play in making sure that the most vulnerable are ready for Y2Q — once it arrives.